luci-base: dispatcher: reject non-POST requests with any cbi.submit value
author Jo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:15:22 +0000 (00:15 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 4 Apr 2018 22:15:22 +0000 (00:15 +0200)
commit 186e690c08a8766aecf9a0ffc60b4475e366d723
tree 320b100a84d90c2fca0ed970d3bb20864f1eab36
parent 697db81246bf9e3256c7217a00ee4e7757c87077
luci-base: dispatcher: reject non-POST requests with any cbi.submit value

Due to the fact that luci.model.cbi reacts to any "cbi.submit" value while
the dispatcher only required POST for cbi.submit == 1, the CSRF token
protection could be bypassed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
modules/luci-base/luasrc/dispatcher.lua
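
The mismatch the commit message describes, modelled as an added example (not LuCI's dispatcher code and not part of this commit). The function names, request tables and sample values are constructed for illustration, and the model assumes the CSRF token is only checked on requests the gate forces to be POST.

```lua
-- Added illustration: a simplified model, not LuCI source.
-- Requests are plain tables: { method = "GET"|"POST", form = { name = value } }.

-- Form layer as the commit message describes it: it treats the request
-- as a submission for ANY cbi.submit value.
local function form_layer_sees_submit(req)
  return req.form["cbi.submit"] ~= nil
end

-- Gate before the fix: POST is demanded only when cbi.submit is exactly "1".
local function gate_before(req)
  if req.form["cbi.submit"] == "1" and req.method ~= "POST" then
    return false -- rejected
  end
  return true
end

-- Gate after the fix: any cbi.submit value on a non-POST request is rejected.
local function gate_after(req)
  if req.form["cbi.submit"] ~= nil and req.method ~= "POST" then
    return false -- rejected
  end
  return true
end

-- A gap exists when the gate passes a non-POST request that the form
-- layer still processes as a submission.
local function is_gap(gate, req)
  return gate(req) and req.method ~= "POST" and form_layer_sees_submit(req)
end

-- Constructed sample requests.
local samples = {
  { name = "POST submit=1", method = "POST", form = { ["cbi.submit"] = "1" } },
  { name = "GET submit=1",  method = "GET",  form = { ["cbi.submit"] = "1" } },
  { name = "GET submit=2",  method = "GET",  form = { ["cbi.submit"] = "2" } },
  { name = "GET no submit", method = "GET",  form = {} },
}

for _, req in ipairs(samples) do
  print(string.format("%-14s before: gap=%-5s after: gap=%s",
    req.name,
    tostring(is_gap(gate_before, req)),
    tostring(is_gap(gate_after, req))))
end
```

Only the non-POST request whose cbi.submit value differs from "1" reports a gap under the old gate, and no request does under the new one, which makes this table a usable regression check for the two layers agreeing on what counts as a submission.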